Hi,
One of the routers has a bug where the WPA3 network doesn't work. Can the second router be used in WPA2/WPA3 mode, or does it need to be set to 'only WPA2' as well?
How can I check if roaming 'works'?
The short answer would be 'no'.
Both WPA3/WPA2 mixed-mode and WPA3 with fast transitions are 'difficult' to begin with, let alone in combination, but it only works -at all- if the same access credentials are shared among all APs.
but it only works -at all- if the same access credentials are shared among all APs.
Sure. All APs have the same password set. The only difference would be encryption mode.
The short answer would be 'no'.
So both need to be set to 'WPA2 only' (I assume that is the answer, as I asked an 'or' question).
In other words, no, they are not the same.
Coming from a connection with WPA3/SAE, your client cannot fast-transition to WPA2/CCMP (it doesn't even matter if the ESSID/PSK happen to be the same).
Adding to this... even without 802.11r, using two different encryption methods isn't best practice. Besides, the security of your network isn't improved by adding a WPA3 or WPA2/3 mixed-mode AP, because the WPA2 mode still exists in your network.
It does make sense to offer WPA2-PSK/CCMP and WPA3/SAE on different (v)APs, even if you bridge them to the same LAN (behind wpad's back): both to get as much traffic away from WPA2 as possible, to draw a clear line in the sand between which devices can do it and which can't, and because WPA3 is a hard requirement for using 6 GHz channels. Mixed-mode, however, is something best avoided (the legacy clients not supporting WPA3 are likely not to cope with mixed-mode either, and those are plenty; there are even some which can do WPA3/SAE-only just fine but fail to work with mixed-mode), even before thinking about 802.11r. Fast-transitioning is problematic with WPA3 to begin with, but in combination with mixed-mode and some APs which can't do WPA3, it's a total no-go.
Fair point!
Yeah... mixed mode reminds me of this joke:
"Platform independent software is software that doesn't run on any platform"
Agreed. You've probably seen that my general advice is to disable 802.11r if it doesn't 'just work' since so many devices just don't play nice.
Correct me if I'm wrong, but there is a small improvement. Sure, if WPA2 is broken now it allows an attacker to get onto the network, but WPA3 adds forward secrecy. If there is a client on WPA3 and the communication is not broadcast, then even breaking the password will not reveal the communication retroactively.
Mixed-mode, however, is something best avoided (the legacy clients not supporting WPA3 are likely not to cope with mixed-mode either, and those are plenty; there are even some which can do WPA3/SAE-only just fine but fail to work with mixed-mode), even before thinking about 802.11r. Fast-transitioning is problematic with WPA3 to begin with, but in combination with mixed-mode and some APs which can't do WPA3, it's a total no-go.
Ok. Thanks. For future reference, what is the problem with fast transitioning and WPA3?
You're not wrong... @slh actually covered it... there is a benefit
Client interoperability (and two different AKM cipher suites for 802.11r with WPA3) [0]; it's a mess, to say the least.
--
[0] The different AKM suite for 802.11r may cause clients not even seeing the WPA3 network, or failing to auth.
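The two points made above (a client that authenticated with WPA3/SAE cannot fast-transition to a WPA2/CCMP AP even with identical SSID and PSK, and 802.11r on WPA3 needs its own FT AKM suite, FT-SAE, which the WPA2 AP does not advertise) can be checked mechanically from what the APs put in their beacons. The following script is an added example, not code from this thread or from OpenWrt/hostapd: it parses the RSN element (element ID 48) and the Mobility Domain element (element ID 54) of an AP's beacon and decides whether a fast transition is possible for a client that is currently associated with a given AKM. The three AP profiles at the bottom are constructed byte strings built with the helper functions, not captures from a real network; the element layouts and suite selector numbers (PSK = 2, FT-PSK = 4, SAE = 8, FT-SAE = 9 under OUI 00-0F-AC) are from IEEE 802.11.

```python
"""Added example: decide from two APs' RSN and Mobility Domain elements whether
an 802.11r fast transition between them is possible for a given client AKM.
Sample elements below are constructed, not captured from a real network."""
import struct

RSN_OUI = b"\x00\x0f\xac"        # IEEE 802.11 suite selector OUI
EID_RSN, EID_MDE = 48, 54         # element IDs: RSNE and Mobility Domain element

# AKM suite types under OUI 00-0F-AC (IEEE 802.11-2020 Table 9-151, subset)
AKM = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
       6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
FT_AKMS = {3, 4, 9}               # only these AKMs permit 802.11r at all
CIPHER = {4: "CCMP-128", 8: "GCMP-128"}

def _suites(body, off, n):
    """Decode n consecutive 4-byte suite selectors; only the RSN OUI is handled."""
    out = []
    for k in range(n):
        sel = body[off + 4 * k: off + 4 * k + 4]
        if len(sel) != 4 or sel[:3] != RSN_OUI:
            raise ValueError("unsupported or truncated suite selector")
        out.append(sel[3])
    return out

def parse_ies(buf):
    """Split a beacon/probe-response IE blob into {element_id: [body, ...]}."""
    ies, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated element at offset %d" % i)
        eid, n = buf[i], buf[i + 1]
        ies.setdefault(eid, []).append(buf[i + 2:i + 2 + n])
        i += 2 + n
    return ies

def parse_rsne(body):
    """Return group cipher, pairwise ciphers, AKM list and the MFP bits of an RSNE."""
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unknown RSNE version")
    off = 2
    group = _suites(body, off, 1)[0]; off += 4
    npw = struct.unpack_from("<H", body, off)[0]; off += 2
    pairwise = _suites(body, off, npw); off += 4 * npw
    nakm = struct.unpack_from("<H", body, off)[0]; off += 2
    akms = _suites(body, off, nakm); off += 4 * nakm
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    # RSN Capabilities: bit 6 = MFP Required (MFPR), bit 7 = MFP Capable (MFPC)
    return {"group": group, "pairwise": pairwise, "akm": akms,
            "mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40)}

def parse_mde(body):
    """Mobility Domain element: 16-bit MDID plus one FT capability/policy byte."""
    return {"mdid": struct.unpack_from("<H", body, 0)[0],
            "ft_over_ds": bool(body[2] & 0x01)}

def ap_profile(ie_blob):
    ies = parse_ies(ie_blob)
    prof = parse_rsne(ies[EID_RSN][0])
    prof["mde"] = parse_mde(ies[EID_MDE][0]) if EID_MDE in ies else None
    return prof

def ft_possible(client_akm, src, dst):
    """Can a client associated to `src` with `client_akm` fast-transition to `dst`?
    802.11r needs an FT AKM, the same AKM offered by the target, a matching
    mobility domain ID, and a pairwise cipher both APs share. Returns (ok, reason)."""
    name = AKM.get(client_akm, str(client_akm))
    if client_akm not in FT_AKMS:
        return False, "%s is not an FT AKM; only a full re-association is possible" % name
    if client_akm not in src["akm"]:
        return False, "source AP does not even offer %s" % name
    if src["mde"] is None or dst["mde"] is None:
        return False, "one AP advertises no Mobility Domain element"
    if src["mde"]["mdid"] != dst["mde"]["mdid"]:
        return False, "mobility domain IDs differ (0x%04x vs 0x%04x)" % (
            src["mde"]["mdid"], dst["mde"]["mdid"])
    if client_akm not in dst["akm"]:
        return False, "target AP does not offer %s (it offers %s)" % (
            name, ", ".join(AKM.get(a, str(a)) for a in dst["akm"]))
    if not set(src["pairwise"]) & set(dst["pairwise"]):
        return False, "no common pairwise cipher"
    return True, "FT with %s within MDID 0x%04x" % (name, dst["mde"]["mdid"])

# --- constructed sample elements (assumed values, not a real capture) ---
def build_rsne(akms, pairwise=(4,), group=4, caps=0):
    body = struct.pack("<H", 1) + RSN_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(RSN_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(RSN_OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([EID_RSN, len(body)]) + body

def build_mde(mdid, ft_caps=0):
    body = struct.pack("<H", mdid) + bytes([ft_caps])
    return bytes([EID_MDE, len(body)]) + body

MDID = 0x1234                                                          # assumed mobility domain
AP_WPA2_FT  = build_rsne([2, 4]) + build_mde(MDID)                     # WPA2-PSK only, with 802.11r
AP_MIXED_FT = build_rsne([2, 4, 8, 9], caps=0x80) + build_mde(MDID)    # WPA2/WPA3 mixed, MFP capable
AP_WPA3_FT  = build_rsne([8, 9], caps=0xC0) + build_mde(MDID)          # WPA3-SAE only, MFP required

if __name__ == "__main__":
    wpa2, mixed, wpa3 = ap_profile(AP_WPA2_FT), ap_profile(AP_MIXED_FT), ap_profile(AP_WPA3_FT)
    for akm, src, dst, label in [(9, wpa3, wpa2, "FT-SAE client, WPA3 AP -> WPA2 AP"),
                                 (9, mixed, wpa2, "FT-SAE client, mixed AP -> WPA2 AP"),
                                 (4, mixed, wpa2, "FT-PSK client, mixed AP -> WPA2 AP"),
                                 (9, wpa3, mixed, "FT-SAE client, WPA3 AP -> mixed AP")]:
        ok, why = ft_possible(akm, src, dst)
        print("%-38s %s: %s" % (label, "OK" if ok else "NO", why))
```

The cases at the bottom reproduce the thread's situation: a client that joined the mixed-mode or WPA3 AP via SAE holds the FT-SAE AKM and finds no FT-SAE on the WPA2-only AP, so the best it can do is a full re-association; only a client that chose PSK on the mixed-mode AP can roam to the WPA2 AP with 802.11r. The same parser can be pointed at real beacon IEs (for example the RSN bytes shown by `iw dev <if> scan`) to see which AKMs each of your APs actually advertises.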